Catching the Internet's spies in Iran and elsewhere

In August, Google introduced a new, if rather obscure,
security feature to its Chrome web browser, designed to
be triggered only under extreme circumstances.

When you talk to Google's servers using the web's
secure "https" protocol, your browser makes a number of checks to
ensure that you are really talking to
Google's servers. Like an overly obsessive bouncer, the new code double-checks
the identity of any supposed Google site against a Chrome-only list of valid
Google identities hardwired into the browser.
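The "hardwired list" works like the following added example, which is not Chrome's code and uses constructed placeholder key material rather than any real certificate. The idea is that a certificate chain that passes the normal check (a trusted certificate authority signed it) must additionally contain one of a small set of public keys the browser already knows belong to Google. A forged "Google" certificate issued by some other, fully trusted authority satisfies the first check but not the second, which is exactly what surfaced the Iranian interception.

```python
import base64
import hashlib
from typing import Dict, List, Set

# Constructed sample SubjectPublicKeyInfo (SPKI) byte strings. In a real
# browser these are the DER-encoded public keys pulled from each certificate
# in the chain; here they are just labelled stand-ins.
GOOGLE_CA_SPKI = b"constructed-spki-google-internet-authority"
GOOGLE_LEAF_SPKI = b"constructed-spki-leaf-www.google.com"
TRUSTED_ROOT_SPKI = b"constructed-spki-some-trusted-root"
ROGUE_CA_SPKI = b"constructed-spki-rogue-intermediate"  # a compromised but trusted CA
ROGUE_LEAF_SPKI = b"constructed-spki-forged-leaf-www.google.com"


def spki_pin(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(SPKI)), the form Chrome's built-in pins and HPKP use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# The allowlist compiled into the browser: for each pinned host, the pins of
# keys that must appear somewhere in any valid chain for that host.
# Assumed content: only the constructed Google CA key.
PINNED_HOSTS: Dict[str, Set[str]] = {
    "www.google.com": {spki_pin(GOOGLE_CA_SPKI)},
    "mail.google.com": {spki_pin(GOOGLE_CA_SPKI)},
}


def chain_passes_pins(host: str, chain_spkis: List[bytes]) -> bool:
    """Second check, run only after ordinary CA path validation has succeeded.

    Returns True when the host is not pinned at all (nothing extra to verify),
    or when at least one public key in the presented chain matches a pin.
    """
    pins = PINNED_HOSTS.get(host)
    if pins is None:
        return True  # unpinned host: ordinary CA validation is the only check
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Chain the real site presents: leaf <- Google's CA <- a trusted root.
GENUINE_CHAIN = [GOOGLE_LEAF_SPKI, GOOGLE_CA_SPKI, TRUSTED_ROOT_SPKI]
# Chain an interceptor presents: forged leaf <- compromised CA <- a trusted root.
# Ordinary validation accepts it because the root is trusted; the pin check does not.
FORGED_CHAIN = [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI, TRUSTED_ROOT_SPKI]


def verdict(host: str, chain_spkis: List[bytes]) -> str:
    """Human-readable outcome of the pin check for a host and chain."""
    return "ok" if chain_passes_pins(host, chain_spkis) else "PIN MISMATCH: possible interception"


if __name__ == "__main__":
    print("www.google.com, genuine chain:", verdict("www.google.com", GENUINE_CHAIN))
    print("mail.google.com, forged chain:", verdict("mail.google.com", FORGED_CHAIN))
    print("example.org, forged chain:   ", verdict("example.org", FORGED_CHAIN))
```

The last case shows the limitation the article goes on to describe: a forged certificate for a site Google has not pinned passes silently, because the browser has no independent knowledge of what that site's keys should be.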

The feature was experimental, so Google only included checks
for its own websites. This week, a handful of Chrome users visiting Gmail and
other Google sites triggered the warning, and contacted Google. According to Google's later reporting, the affected users were
"primarily located" in Iran.

What does this mean? It means that somebody in Iran had gone
to great lengths to intercept supposedly secure Internet traffic, including
Gmail messages.

This was not a trivial undertaking. The Iranian users'
reports reveal what must have happened. The snoopers' associates had either broken
into or defrauded the Dutch Internet security firm DigiNotar, and obtained from
them a fake digital identity document, an https certificate, in the name of
Google. They then redirected Google traffic within Iran, and used the certificate to
masquerade as Google. With those capabilities, the party would be able to
intercept and collect any private communications between Iranians and Google,
including supposedly highly secure Gmail messages.

The combination of a targeted attack and the commandeering of
at least two Internet service providers suggests a highly organized
attempt to spy on a large number of Iranian Net users' secure communications. The
obvious, but unproven, candidate for this seems to be some element of the
Iranian security forces.

If state security agents are working in cooperation with
criminals in repressive countries like Iran, it will be unsurprising if one
of the groups that governments and organized crime most wish to silence is
targeted: journalists.

It is also important, however, to note what we cannot yet
conclude. Firstly, we do not know the extent of the Iranian surveillance.
Google only spotted the attack on its own services because the company had
added specific extra checks in its browser for its own websites. Many other
websites' communications may have been compromised with no chance of detection.

The company most responsible for allowing this attack has
not helped. Despite its clear involvement, DigiNotar has remained largely
silent about the attack and has failed to notify other sites that may have been
compromised. For instance, DigiNotar only informed the Tor Project, a software
regularly used by at-risk journalists to communicate anonymously on the
Internet, after the group directly requested confirmation that it had
been targeted. (If you are in Iran
and downloaded the Tor software recently, you should check the signatures of the files you
downloaded.) Press reports have suggested that more than
200 sites may have been affected.

While all eyes are on Iran, the country remains one of
the few nations that would have a need to defraud Western companies in order to
conduct such surveillance. Many governments, including countries with a poor
reputation for defending freedom of expression or privacy, are able
to generate any number of fake digital certificates on their own authority.

The current dependence of secure Internet traffic on a few,
potentially insecure commercial companies is a profound flaw, but fixes are
being worked on. One useful browser add-on that vulnerable groups should
consider using is Convergence,
which conducts a similar double-check to Chrome but has the potential to compare
with multiple sources. The tool, still in its early stages, would have spotted
the Iranian attack.
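Convergence's "compare with multiple sources" idea, as an added illustration that is not the Convergence code itself and uses constructed fingerprints rather than real certificates: instead of a list hardwired by the site owner, the client asks several independent notaries (servers on other networks) which certificate they see for the host, and treats its own observation as suspect when the notaries agree with each other but not with it. In the scenario the article describes, users inside the intercepting network would see the forged certificate while notaries outside it would see the genuine one.

```python
from collections import Counter
from typing import Dict

# Constructed fingerprints; any real deployment would use SHA-256 of the
# DER-encoded certificate actually received.
GENUINE_FP = "sha256:constructed-genuine-google-cert"
FORGED_FP = "sha256:constructed-forged-google-cert"

# Constructed notary reports: what each notary, connecting from its own
# network, observed for the host. Names are placeholders.
NOTARY_REPORTS: Dict[str, str] = {
    "notary-a.example": GENUINE_FP,
    "notary-b.example": GENUINE_FP,
    "notary-c.example": GENUINE_FP,
}


def notary_verdict(observed_fp: str, reports: Dict[str, str], min_agreement: int = 2) -> str:
    """Compare the certificate this client saw with the notaries' consensus.

    Returns:
      "trusted"  - the notaries agree with each other and with the client
      "mismatch" - the notaries agree with each other but not with the client,
                   i.e. the client's path is seeing a different certificate
      "unknown"  - too few notaries agree to draw a conclusion
    """
    if not reports:
        return "unknown"
    consensus_fp, votes = Counter(reports.values()).most_common(1)[0]
    if votes < min_agreement:
        return "unknown"
    return "trusted" if observed_fp == consensus_fp else "mismatch"


if __name__ == "__main__":
    # A user outside the intercepting network sees what the notaries see.
    print("genuine cert observed:", notary_verdict(GENUINE_FP, NOTARY_REPORTS))
    # A user inside it is handed the forged cert; notaries disagree with that view.
    print("forged cert observed: ", notary_verdict(FORGED_FP, NOTARY_REPORTS))
```

The check is only as independent as the notaries' network paths: if every notary reached the site through the same intercepted route, they would all report the forged certificate and the client would wrongly accept it, so picking notaries spread across several networks is part of the design.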

Experts can build tools to detect spying on https traffic
partly because such encrypted, authenticated communications are inherently
harder to spy upon. By contrast, every state, and many criminal and commercial
groups, can trivially spy on unencrypted data with no chance of being spotted.
Almost all of the communications of journalists and news media, including
messages between sources and reporters, continue to pass over the Internet with
no protection from snooping at all.

Detectable surveillance will always represent the tip of the
iceberg. Journalists who expect attacks from criminals or even their own
governments need to take proactive steps to protect themselves, including
using https and tools like Tor, even if they know those protections
are now under concerted attack.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.